Thanks to all for the responses:
"David A. Massaro, SUNY ITEC" <MASSARDA_at_mail.suny.edu>
"Degerness, Mandell ITSD:EX" <Mandell.Degerness_at_gems2.gov.bc.ca>
"Dayv Gastonguay" <noghri_at_nauticom.net>
Stephen LaBelle <labelles_at_mscd.edu>
John Peter Gormley <jgormley_at_grizzly.scu.edu.au>
"A. Mahendra Rajah, Systems Manager"
Robert Katz <katz_at_alf.dec.com>
Masato Bud Uesu <bud_at_dominedeus.com>
MC.Vialatte_at_cust.univ-bpclermont.fr
The following advice is for Digital UNIX 4.0 or better, using C2
security and not using NIS. You can use the following commands to
check your system:

    /usr/sbin/sizer -v
    rcmgr get SECURITY
    rcmgr get NIS_CONF

The consensus is to use "edauth" plus "vipw". One way is:

1) Use "edauth -r user_name" to remove the TCB entry for the user.
2) Use "vipw" to remove the line in /etc/passwd containing the user's entry.
3) Recreate with your favorite tool for adding users (such as "useradd").

Another:

1) Use "edauth" to get rid of ":u_retired" in TCB:

    /usr/tcb/bin/edauth -g user_name | sed 's/:u_retired:/:/' |
        /usr/tcb/bin/edauth -s

2) Use "vipw" to change ":Retired*:" to ":*:" in /etc/passwd.

One person said just remove Retired in /etc/passwd and use "passwd" to set
the password and didn't mention "edauth"; another said the Retired in
/etc/passwd doesn't matter.
One person also mentioned /etc/group and another commented on the home
directory, which in our case was already removed, since we use "userdel -r".
The most important aspect of the answers is that the respondents believe
"vipw" is safe under C2 (when used with care).
- Jerry Berkman, UC Berkeley
Original question -
On Tue, 16 Mar 1999, Jerome M Berkman wrote:
> We have a user who has returned. We ran userdel when the user left,
> so the account is listed in /etc/passwd as:
>
> dcho:Retired*:40358:23:...
>
> The user has returned and wants his same login back. How do I
> un-retire the account? We are running Digital UNIX 4.0D, C2 security.
> I can use "usermod" to change the shell, but the account is not
> usable:
>
> Digital UNIX (uclink4.berkeley.edu) (ttyq8)
>
> login: dcho
> Password:
> Account has been retired -- logins are no longer allowed.
>
> Same for ftp. I tried to change the login with usermod and then
> create a new account with that logon, but usermod will not change
> the login of a retired account.
>
> The other option I've thought of is vipw. However, you are not
> supposed to use that with C2. And the last time I used vipw,
> over a year ago, disaster soon followed, so I do not want to risk
> using vipw. (I think we had to upgrade to cure the problems).
>
> - Jerry Berkman, UC Berkeley
>
Received on Wed Mar 17 1999 - 16:00:32 NZDT
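
A dry run of the second procedure above, as an added example that is not part of the original message: it previews both edits on text before anything is typed into "vipw" or piped to "edauth -s", and refuses unless exactly one passwd entry for the named user changes. The function names, the sample passwd lines and the layout of the TCB entry (other than the ":u_retired:" flag quoted in the message) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Dry-run helpers: read text on stdin, write the edited text to stdout.
# Nothing here touches /etc/passwd or the TCB.

# unretire_passwd USER
# Change the password field from "Retired*" to "*" for USER only.
# Exits non-zero unless exactly one line was changed, so a mistyped
# login name or an account that is not retired is caught before vipw.
unretire_passwd() {
    awk -F: -v OFS=: -v u="$1" '
        $1 == u && $2 == "Retired*" { $2 = "*"; changed++ }
        { print }
        END { exit (changed == 1 ? 0 : 1) }'
}

# unretire_tcb
# Same substitution as the sed command in the message: drop the
# u_retired flag from a single entry as printed by "edauth -g".
unretire_tcb() {
    sed 's/:u_retired:/:/'
}

# Constructed sample data (not taken from a real system). The TCB field
# layout is an assumption; only ":u_retired:" comes from the message.
SAMPLE_PASSWD='root:*:0:1:system PRIVILEGED account:/:/bin/sh
dcho:Retired*:40358:23:Constructed User:/home/dcho:/bin/csh
other:Retired*:40400:23:Another Retired User:/home/other:/bin/csh'
SAMPLE_TCB='dcho:u_name=dcho:u_id#40358:u_pwd=CONSTRUCTED:u_retired:u_lock@:chkent:'

# Preview: only the dcho line loses "Retired"; "other" stays retired.
printf '%s\n' "$SAMPLE_PASSWD" | unretire_passwd dcho
printf '%s\n' "$SAMPLE_TCB" | unretire_tcb
```

On a real system the same preview can be run against a copy of /etc/passwd and the output of "edauth -g user_name", and the result compared with the original using diff before the change is made.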